Quiz Entry - updated: 2026.07.14
What are the two main access control methods and policies?
Two methods — DAC (the resource owner grants access) vs MAC (the system enforces access from fixed security labels) — and two policies — Open (allow unless denied) vs Closed (deny unless allowed).
The method answers who decides who gets access; the policy answers what the default is when nothing explicit says yes or no.
Methods — who controls access:
| Method | Who decides | Trade-off |
|---|---|---|
| Discretionary Access Control (DAC) | The owner of each resource grants/revokes access (e.g. Unix file permissions, "share this doc") | Flexible and convenient, but an owner can leak access — no central guarantee |
| Mandatory Access Control (MAC) | The system enforces a central policy from security labels (e.g. Secret/Top-Secret); even the owner can't override it | Very strict and leak-resistant, but rigid — used in military/government |
Policies — the default answer:
| Policy | Default | You then... | Risk |
|---|---|---|---|
| Open Policy | Allow all | explicitly deny specific access | Anything you forget to deny stays open — dangerous |
| Closed Policy | Deny all | explicitly grant specific access | Anything you forget to grant is simply blocked — fails safe |
Best practice: Use a Closed Policy (deny by default, grant only what's explicitly needed). This is the principle of least privilege: a forgotten rule then fails closed (blocked) instead of open (exposed).
Go deeper:
Discretionary access control (Wikipedia) — how owner-granted permissions (e.g. Unix file modes) work and where they can leak access.
Mandatory access control (Wikipedia) — label-based enforcement the owner can't override, as used in military systems and SELinux.